
Win7 Update .exe wants internet.


2 replies to this topic

#1 w1L50n

  • Members
  • 2 posts

Posted 20 July 2015 - 01:23 PM

Recently I used Acronis to restore to an earlier version...much earlier.
As a bit of info, I have several partitions and keep Win7 on its own, and different data (data only) on the others.
So I restored C: (OS only) to a nice known (more or less) clean state, and I also elected to restore the MBR and Track 0 as well. This is because I have suspicions...but that is a larger issue which I will be addressing at another time.
At any rate, the computer thinks it is 2012 as far as Windows updates are concerned, and I had a massive 170 updates to download and install....so be it.
 
During the updating, my anti-virus program Webroot popped up saying a file wanted to access the internet. The file was from C:...something something flashplayer...so I blocked it. Of course Adobe wants to update its stuff too, but one thing at a time. I got a couple more like that, that more or less made sense what they were, and I blocked those as well. I think I let one through as it didn't seem to be Adobe and I thought it was maybe part of the update process. But then I saw something like this:
 
A file is requesting access to the internet
S:\348h&12eq99234.exe
 
That is not the exact gibberish (I do have screenshots), but I'm sure about the .exe part.
The other thing is that drive S: has nothing to do with the OS, but it is where I keep movies and other downloads. I blocked it. I got several more the same...about 3 or 4 all told.
So my question is:
When doing a windows update, does the process EVER put an .exe to another drive (maybe the one with most extra space?) and then request internet access??
That is the only legit thing I can think of; but I can also think of some other quite darker things; as I said, I already have suspicions.
Scans from Webroot and Spybot 2.4 showed nothing before I started this, and I couldn't see any weird long gibberish .exe files on my S: drive.
The whole reason I was doing a big old restore to C: and MBR is, as I said, I have some grave suspicions, although it's entirely possible that it is a string of anomalous coincidences.
But now there is this S: drive .exe file thing too....
Am I ok? or does this look like trouble?

Edited by hamluis, 20 July 2015 - 01:57 PM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 wing987

  • Members
  • 177 posts
  • Location:Payette, ID

Posted 20 July 2015 - 02:56 PM

It is my opinion that if you started fresh with your OS, then attached a drive to it that was NOT cleaned and erased, then you have likely re-infected your system. A file can exist for a short period of time, being created to "phone home" and then deleted when done or failed, resulting in you being unable to locate it. Additionally, it could exist buried somewhere hidden within a folder. I am not sure what videos you have, but if they are illegally downloaded you should be aware that they often come with hitchhikers, meaning they could be the source of any infection. This could be true of a picture or document as well, although it is much easier if it is an MSI or EXE file. So you must assume that you are infected, especially with the source being an unknown file and from a drive that is not your C drive (there are exceptions to this "rule" but they are few and unlikely in the given scenario).

 

So, let's start over:

 

*Do a fresh install of a KNOWN GOOD system....either the original disks or hidden partition for recovery that came with your system, or a brand new OS install purchased from Microsoft (in this case).

*Do NOT connect your S drive, or any other media of any sort, to the computer; this includes CDs not used in the install and thumbdrives, cameras, etc.

*Connect the now "newborn" computer to the internet and download all of the MS updates. Do NOT block them, your computer will still be clean.

*Then download your antivirus and system protection software that you use, at this point you lose any guarantee of a clean system. If you use a reputable program downloaded from a reputable source it is most likely still clean. (of note: sources like sourceforge.com or download.com are NOT reputable sources)

*After you are certain that you are protected connect your S drive.

*If you get ANY alerts at that point, then assume the entire S drive and C drive are compromised. Although there are good fixes that work in most scenarios, the only true way to ensure that you are 100% clean is to wipe everything and start from scratch.

 

Did this help you identify if you are infected?


-- Windows 7 Ultimate on custom built system, Windows 10 on under powered laptop. Sophos UTM 9, Ubuntu Server and Windows Server 2008 R2. HyperV Virtualization --

 

"The hottest places in hell are reserved for those who in a period of moral crisis maintain their neutrality," John F. Kennedy
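An added check to go with the reply above (example code, not from the thread or from any of its posters). It does on the Windows 7 box what the reply says the poster could not do by eye: list every executable-type file on the data volume, hidden and system attributes included, with its Authenticode status and SHA-256, and then look for autostart entries (Run keys, Winlogon, services, scheduled tasks) whose command line points at that volume. `$Volume` is an assumption standing in for the S: partition; it is written for the PowerShell 2.0 that ships with Windows 7 and should be run from an elevated prompt.

```powershell
# Added example (not code from the thread or its posters). Inventories
# executable-type files on a data volume, hidden/system attributes included,
# then lists autostart entries that reference that volume.
# Assumptions: run from an elevated Windows PowerShell prompt on the Windows 7
# machine; $Volume stands in for the S: partition discussed above.
param([string]$Volume = 'S:\')

$drive = $Volume.Substring(0, 2)        # 'S:'
$exts  = '.exe', '.dll', '.scr', '.com', '.pif', '.cpl', '.bat', '.cmd', '.vbs', '.js'
$sha   = [System.Security.Cryptography.SHA256]::Create()

function Get-Sha256Hex([string]$Path) {
    $fs = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

Write-Host "== Executable files on $Volume (hidden and system files included) =="
# -Force makes Get-ChildItem return hidden/system entries; PSIsContainer filters
# out directories so this also works on the PowerShell 2.0 that ships with Win7.
$inventory = Get-ChildItem -Path $Volume -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($exts -contains $_.Extension.ToLower()) } |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Path      = $_.FullName
            Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            System    = [bool]($_.Attributes -band [IO.FileAttributes]::System)
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            Signature = $sig.Status          # NotSigned, Valid, HashMismatch, ...
            Signer    = $signer
            SHA256    = Get-Sha256Hex $_.FullName
        }
    }
$inventory | Sort-Object Created -Descending |
    Format-Table Created, Hidden, System, Signature, SHA256, Path -AutoSize
# Rows with Hidden or System = True, an unsigned binary, or a creation time that
# falls inside the update session are the ones to pull for a second opinion
# (hash lookup, or submission to the antivirus vendor).

Write-Host "`n== Autostart entries that reference $drive =="
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell, Userinit
)
$pattern = [regex]::Escape($drive)
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # PSPath, PSParentPath, ...
        if ("$($p.Value)" -match $pattern) { "{0}\{1} = {2}" -f $key, $p.Name, $p.Value }
    }
}
# Services whose binary lives on the data volume.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
    Where-Object { "$($_.ImagePath)" -match $pattern } |
    ForEach-Object { "Service {0}: {1}" -f $_.PSChildName, $_.ImagePath }
# Scheduled tasks; schtasks.exe is used because Get-ScheduledTask needs Windows 8+.
schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { "$($_.'Task To Run')" -match $pattern } |
    ForEach-Object { "Task {0}: {1}" -f $_.TaskName, $_.'Task To Run' }
```

Save it as, say, Inventory-DataVolume.ps1 and run `powershell -ExecutionPolicy Bypass -File .\Inventory-DataVolume.ps1 -Volume 'S:\'`. Two caveats: a file that was created, ran once and deleted itself, as the reply describes, is no longer on disk, so the Webroot screenshots and the entries Webroot blocked are the only record of it and this inventory will not show it; and an autostart entry that points at the data volume is the thing that would carry an infection across a restore of C: and the MBR, which is why the second half of the script is worth more than the first.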


#3 w1L50n

  • Topic Starter
  • Members
  • 2 posts

Posted 20 July 2015 - 08:01 PM

So what I'm hearing is that an .exe file asking for an internet connection is NOT part of Windows Update in its infinite complexity, and very likely malware that is going undetected by Webroot and Spybot. As you said, being temporary, but in some incarnation persistent across MBR and OS restore, probably hiding in a data drive/folder.

If this assumption is correct, it would 'phone home' without any opening of the file or folder it persists in?

It is operating out of a data only partition and attempting to contact a server and infect / re-infect the os?

I don't know much about how malware etc. works. I joined this forum to get educated on the methods malware infects. I always relied on regularly restoring my os and MBR. I do have ghost files from before the computers ever saw the internet, I do not have original disks as they don't include them anymore.

 

Basically you answered questions I was going to be asking..but let's skip ahead. I understand and agree with everything you have said, and at a certain point, this particular lappy is going linux. I am forced to keep it as a Win7 for awhile tho.

The problem is S: drive is not an external drive but a partition of the physical native disk. Therefore, the only way is to copy all data I need to an external, consider it infectious, zero-wipe the entire drive, install Ubuntu. Now I have a clean Linux system and a questionable external drive with data.

 

I must assume I will be having the same problem with a Win7 Laptop that will be staying Win7, and the cure will be the same as above, and as you have stated.

 

The problem will come when I want / need data existing on the infectious external drive now. Would it be fair to assume .txt files that I made along the way, and OpenOffice files I made, would be ok? Nothing would hide in my own files, but only in downloaded files?